rusackas commented on code in PR #40676:
URL: https://github.com/apache/superset/pull/40676#discussion_r3384770101


##########
superset/security/manager.py:
##########
@@ -3681,6 +3684,43 @@ def get_guest_user_from_request(self, req: Request) -> 
Optional[GuestUser]:
 
         return self.get_guest_user_from_token(cast(GuestToken, token))
 
+    @staticmethod
+    def _is_guest_token_revoked(token: dict[str, Any]) -> bool:
+        """Return True if the token predates a revocation on any of its
+        embedded-dashboard resources (``guest_token_revoked_before``)."""
+        issued_at = token.get("iat")
+        if not issued_at:
+            return False
+
+        # pylint: disable=import-outside-toplevel
+        from superset.daos.dashboard import EmbeddedDashboardDAO
+
+        for resource in token.get("resources") or []:
+            if resource.get("type") != GuestTokenResourceType.DASHBOARD.value:
+                continue
+            embedded = EmbeddedDashboardDAO.find_by_id(str(resource.get("id")))
+            revoked_before = getattr(embedded, "guest_token_revoked_before", 
None)
+            if revoked_before is not None and issued_at < revoked_before:
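Review bot: the early exit `if not issued_at: return False` fails open: a token whose `iat` claim is absent (or zero) skips the revocation check entirely, even though this method is the only gate that enforces `guest_token_revoked_before`. Since the cutoff cannot be evaluated without an issue time, consider treating a missing `iat` as revoked (`return True`) or rejecting such tokens when they are parsed, so an unexpected claim layout cannot bypass the cutoff. Two smaller points in the same hunk: the comparison `issued_at < revoked_before` needs both sides in the same unit (a JWT `iat` is an epoch number, so the stored `guest_token_revoked_before` must be comparable to that, and the docstring should say so), and `str(resource.get("id"))` turns a missing id into the literal string `"None"` before the lookup; checking for `None` first and skipping the resource would make the intent explicit.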

Review Comment:
   Good catch. A guest-token dashboard resource id can be either an embedded 
UUID or, during the UUID migration, a legacy dashboard id (per 
`validate_guest_token_resources`, which falls back to `Dashboard.get(...)`). 
The revocation check only resolved the UUID form, so legacy-id resources 
skipped the cutoff. Fixed in 153c4ece3d: `_is_guest_token_revoked` now resolves 
the embedded config(s) for both forms (UUID via 
`EmbeddedDashboardDAO.find_by_id`, else `Dashboard.get(id).embedded`) and 
honors `guest_token_revoked_before` in both cases. Added unit tests for the 
legacy-id path and the unresolvable-resource case.
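The resolution logic described in the comment above (UUID form via the embedded-dashboard lookup, legacy dashboard id via the dashboard's embedded configs, cutoff honoured in both cases), as an added stand-alone example. This is not Superset's code: `find_embedded_by_uuid`, `find_embedded_by_dashboard_id` and the in-memory tables are constructed stand-ins for `EmbeddedDashboardDAO.find_by_id` and `Dashboard.get(id).embedded`, the string `"dashboard"` is assumed to be the value of `GuestTokenResourceType.DASHBOARD`, and `guest_token_revoked_before` is assumed to be stored in epoch seconds so that it compares directly with the JWT `iat` claim. Unlike the hunk, the example treats a token with no `iat` as revoked (fail closed), since the cutoff cannot be evaluated without an issue time.

```python
from __future__ import annotations

import uuid
from dataclasses import dataclass
from typing import Any, Optional

# Assumed to match GuestTokenResourceType.DASHBOARD.value in Superset.
DASHBOARD_RESOURCE_TYPE = "dashboard"


@dataclass
class EmbeddedConfig:
    """Constructed stand-in for Superset's embedded-dashboard row."""
    uuid: str
    dashboard_id: int
    guest_token_revoked_before: Optional[int] = None  # epoch seconds (assumption)


# Constructed sample data: dashboard 7 has one embedded config with a revocation
# cutoff; dashboard 9 has one embedded config that was never revoked.
_CONFIGS = [
    EmbeddedConfig("1b4e28ba-2fa1-11d2-883f-0016d3cca427", 7, 1_700_000_000),
    EmbeddedConfig("6fa459ea-ee8a-3ca4-894e-db77e160355e", 9, None),
]
_BY_UUID = {c.uuid: c for c in _CONFIGS}
_BY_DASHBOARD_ID: dict[int, list[EmbeddedConfig]] = {}
for _c in _CONFIGS:
    _BY_DASHBOARD_ID.setdefault(_c.dashboard_id, []).append(_c)


def find_embedded_by_uuid(value: str) -> Optional[EmbeddedConfig]:
    """Stand-in for EmbeddedDashboardDAO.find_by_id (hypothetical helper)."""
    return _BY_UUID.get(value)


def find_embedded_by_dashboard_id(dashboard_id: int) -> list[EmbeddedConfig]:
    """Stand-in for Dashboard.get(id).embedded (hypothetical helper)."""
    return _BY_DASHBOARD_ID.get(dashboard_id, [])


def resolve_embedded_configs(resource_id: Any) -> list[EmbeddedConfig]:
    """Resolve a guest-token dashboard resource id in either of its two forms.

    Try the embedded UUID first; if the id is not a UUID, fall back to the
    legacy integer dashboard id. Anything else is unresolvable -> empty list.
    """
    if resource_id is None:
        return []
    text = str(resource_id)
    try:
        uuid.UUID(text)
    except ValueError:
        pass  # not a UUID: try the legacy dashboard-id form below
    else:
        embedded = find_embedded_by_uuid(text)
        return [embedded] if embedded is not None else []
    if text.isdigit():
        return find_embedded_by_dashboard_id(int(text))
    return []


def is_guest_token_revoked(token: dict[str, Any]) -> bool:
    """True if the token was issued before a revocation cutoff on any of its
    dashboard resources, whichever id form the resource uses."""
    issued_at = token.get("iat")
    if issued_at is None:
        # Fail closed: without an issue time the cutoff cannot be honoured.
        return True
    for resource in token.get("resources") or []:
        if resource.get("type") != DASHBOARD_RESOURCE_TYPE:
            continue
        for embedded in resolve_embedded_configs(resource.get("id")):
            cutoff = embedded.guest_token_revoked_before
            if cutoff is not None and issued_at < cutoff:
                return True
    return False


def _token(iat: Optional[int], resource_id: Any, rtype: str = DASHBOARD_RESOURCE_TYPE) -> dict[str, Any]:
    """Build a minimal decoded guest-token payload (constructed sample)."""
    payload: dict[str, Any] = {"resources": [{"type": rtype, "id": resource_id}]}
    if iat is not None:
        payload["iat"] = iat
    return payload


if __name__ == "__main__":
    before, after = 1_699_999_999, 1_700_000_001
    print("uuid form, before cutoff:", is_guest_token_revoked(_token(before, _CONFIGS[0].uuid)))
    print("legacy id, before cutoff:", is_guest_token_revoked(_token(before, "7")))
    print("uuid form, after cutoff:", is_guest_token_revoked(_token(after, _CONFIGS[0].uuid)))
    print("unresolvable resource:", is_guest_token_revoked(_token(before, "no-such-thing")))
```

The two id forms are distinguished by parsing rather than by database lookup order, so a legacy id can never be mistaken for a UUID and an unresolvable resource simply contributes no cutoff, which is the behaviour the comment's "unresolvable-resource" test checks.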



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

